From nobody Fri Jul 25 17:39:14 2025
X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4bpZqk33dNz627cF;
	Fri, 25 Jul 2025 17:39:14 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R10" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4bpZqk2Fh5z3S1R;
	Fri, 25 Jul 2025 17:39:14 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1753465154;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=lbnY2PZBQ/g7wij15XLksgfvT5W/oEMe6YHLHZWunfc=;
	b=nRr+omM7Lci+v/lqO2TIzF4F4qL5w37eK1HGO6mL9IqOp4N8nu6OzeUzBCZPZiwJMU5JtF
	wzg2jRKQJXR/tM3qrtYhx39WfKGhx600pBq+ykPrh4MG5u3yHbbB+/3/yzyGBSuCZYAMPC
	+Fn5rEfVOfcNL0fYGop54ukawwGVXI1/a1Nh4SbUKCMfMscwr6nSFGxl3bMAoFUu6DkDSE
	1WzqmjDw15yQs/4ZuPZCk64HYAEEG2ZxYNNhbfDjUOrtbdi2/AYsyiBU7j+Elo/EroccEw
	uyokvF1PsjHGOnA6xvHEFPr1ZD2uAhiVTI2vaawRjBHuxVyinNc/w6Dnkqmf2A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1753465154;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=lbnY2PZBQ/g7wij15XLksgfvT5W/oEMe6YHLHZWunfc=;
	b=Ub31MGLp9twlYyRvCEUIXLXQOHPoMPq1YfIJIJMl+bAeQJwAM87MVxjfjwck716kaUzB/O
	pDjXNS9JMtol6FR2PqanIWwPY2mykUqwEyVHFV2BbpiRLz9rnqDtZu+C89RCCMzNFnETJN
	qC8Kvw26viZHKfyJTaNPdJorqUhmoI8gEGYoFcgFDDWyz8Mz3pHH82f6KVGyba6TMqkuff
	PpI2RZ43VROLstHtcEze7gPRLFFoalYbSYEWxutBEv2aXBl4zdG+qXs/jjEezgS1pLscZf
	HFLKTZeh1B9s2NPODoNnCBLY4aFCY/BNRms/pCMonr5CYzcybqoApvNU9pi4/w==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1753465154; a=rsa-sha256; cv=none;
	b=PpqWf/MlRtILhTBMoA86oyzy1NXK9h89QP65mtRwOrwjD95QtmHdAR6BVoIuIv+9NPVbt7
	WLn9lAdcDqjcEo8pjR/ewAVKgpV0GckET4nEpKKgXn0NHOGCE5tQYs8MDmp/mIlbH5LJkl
	dsVTfi7aWoBkdJZDCs631BoG7AhCuV8NlhlNIfQAX1IeWLcBHQXDwUb2rzxPiD3zv5zJbP
	Oly6I0EGcuDF+DLEmNanjZVzym1vPrPSivUyJmrhnutdhcK10r1SflkzmPzlZ1R4SXBc4m
	0ei6zpT7Y6THJVubfxvgtTDNNSfUWteotf7vOEnX6o2O5qRwCOZ8XJuOxjeKOw==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4bpZqk1mLXzt7m;
	Fri, 25 Jul 2025 17:39:14 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 56PHdENm012660;
	Fri, 25 Jul 2025 17:39:14 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 56PHdEuN012657;
	Fri, 25 Jul 2025 17:39:14 GMT
	(envelope-from git)
Date: Fri, 25 Jul 2025 17:39:14 GMT
Message-Id: <202507251739.56PHdEuN012657@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
        dev-commits-src-main@FreeBSD.org
From: Mark Johnston <markj@FreeBSD.org>
Subject: git: e1751ef89611 - main - udp: Fix a inpcb refcount leak
  in the tunnel receive path
List-Id: Commit messages for the main branch of the src repository <dev-commits-src-main.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
List-Help: <mailto:dev-commits-src-main+help@freebsd.org>
List-Post: <mailto:dev-commits-src-main@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-main+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-main+unsubscribe@freebsd.org>
X-BeenThere: dev-commits-src-main@freebsd.org
Sender: owner-dev-commits-src-main@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: e1751ef896119d7372035b1b60f18a6342bd0e3b
Auto-Submitted: auto-generated

The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=e1751ef896119d7372035b1b60f18a6342bd0e3b

commit e1751ef896119d7372035b1b60f18a6342bd0e3b
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2025-07-25 13:10:24 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2025-07-25 17:39:00 +0000

    udp: Fix a inpcb refcount leak in the tunnel receive path
    
    When the socket has a tunneling function attached, udp_append() drops
    the inpcb lock before calling it.  To keep the inpcb alive, we bump the
    refcount.  After commit 742e7210d00b we only dropped the reference if
    the tunnel consumed the packet, but it needs to be dropped in either
    case.  if_ovpn is the only driver that can trigger this bug.
    
    Fixes:          742e7210d00b ("udp: allow udp_tun_func_t() to indicate it did not eat the packet")
    Reviewed by:    kp
    MFC after:      2 weeks
    Sponsored by:   Stormshield
    Sponsored by:   Klara, Inc.
    Differential Revision:  https://reviews.freebsd.org/D51505
---
 sys/netinet/udp_usrreq.c   | 11 ++++++++---
 sys/netinet6/udp6_usrreq.c | 11 ++++++++---
 2 files changed, 16 insertions(+), 6 deletions(-)

diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index dafbaf6dc672..42cfb919e263 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -243,7 +243,6 @@ udp_append(struct inpcb *inp, struct ip *ip, struct mbuf *n, int off,
 	struct sockaddr_in6 udp_in6;
 #endif
 	struct udpcb *up;
-	bool filtered;
 
 	INP_LOCK_ASSERT(inp);
 
@@ -252,13 +251,19 @@ udp_append(struct inpcb *inp, struct ip *ip, struct mbuf *n, int off,
 	 */
 	up = intoudpcb(inp);
 	if (up->u_tun_func != NULL) {
+		bool filtered;
+
 		in_pcbref(inp);
 		INP_RUNLOCK(inp);
 		filtered = (*up->u_tun_func)(n, off, inp, (struct sockaddr *)&udp_in[0],
 		    up->u_tun_ctx);
 		INP_RLOCK(inp);
-		if (filtered)
-			return (in_pcbrele_rlocked(inp));
+		if (in_pcbrele_rlocked(inp))
+			return (1);
+		if (filtered) {
+			INP_RUNLOCK(inp);
+			return (1);
+		}
 	}
 
 	off += sizeof(struct udphdr);
diff --git a/sys/netinet6/udp6_usrreq.c b/sys/netinet6/udp6_usrreq.c
index 304effa26e01..b3ed16fda713 100644
--- a/sys/netinet6/udp6_usrreq.c
+++ b/sys/netinet6/udp6_usrreq.c
@@ -142,7 +142,6 @@ udp6_append(struct inpcb *inp, struct mbuf *n, int off,
 	struct socket *so;
 	struct mbuf *opts = NULL, *tmp_opts;
 	struct udpcb *up;
-	bool filtered;
 
 	INP_LOCK_ASSERT(inp);
 
@@ -151,13 +150,19 @@ udp6_append(struct inpcb *inp, struct mbuf *n, int off,
 	 */
 	up = intoudpcb(inp);
 	if (up->u_tun_func != NULL) {
+		bool filtered;
+
 		in_pcbref(inp);
 		INP_RUNLOCK(inp);
 		filtered = (*up->u_tun_func)(n, off, inp,
 		    (struct sockaddr *)&fromsa[0], up->u_tun_ctx);
 		INP_RLOCK(inp);
-		if (filtered)
-			return (in_pcbrele_rlocked(inp));
+		if (in_pcbrele_rlocked(inp))
+			return (1);
+		if (filtered) {
+			INP_RUNLOCK(inp);
+			return (1);
+		}
 	}
 
 	off += sizeof(struct udphdr);